Subject: Re: Apache ap_getpass vulnerability
From: Jon Paul, Nollmann (sinster DARKWATER.COM)
Date: Thu Nov 02 2000 - 21:47:50 CST
- Next message: Alex Ibrahim: "entercept"
- Previous message: John Galt: "antivirus smurfing"
- In reply to: Simon Tamás: "Re: Apache ap_getpass vulnerability"
- Next in thread: Pavel Kankovsky: "Re: Apache ap_getpass vulnerability"
- Next in thread: Simon Tamás: "Re: Apache ap_getpass vulnerability"
- Reply: Jon Paul, Nollmann: "Re: Apache ap_getpass vulnerability"
> You have an apache module that communicates via SSL with some other
> server.
[...]
> The private key is usually password protected.
In my experience, the private key is almost never password protected.
Reason: since eventually getpass() gets called to read the password,
there is no way to redirect this information from a file. That means
that it is impossible for the webserver to restart unattended: it will
hang waiting for the password to be input, or error out because there
is no controlling terminal (as would be the case of a startup from
/etc/rc or its subscripts), and therefore the open of /dev/tty will
fail. Since it's not reasonable to require the webserver to be
restarted manually at every failure, and a password-protected private
key requires exactly that, no (or few) people password-protect their
private keys. Those few who do password-protect their private
keys arrange alternate configuration mechanisms so that they don't
have to wait on an admin to type the password at every startup.
Otherwise, you're right: if the site depends on an admin typing
a password to restart the webserver at every system boot, then
the getpass() issue arises.
--
Jon Paul Nollmann ne' Darren Senn sinsterballtech.net
Unsolicited commercial email will be archived at $1/byte/day.
The optimist proclaims that we live in the best of all possible worlds; and the pessimist fears this is true.
James Branch Cabell, The Silver Stallion, 1926
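The failure mode described in the message above (getpass() needs /dev/tty, and that open fails when the server is started from /etc/rc with no controlling terminal) and one of the "alternate configuration mechanisms" it alludes to, as an added example in C that is not code from this thread, from Apache or from mod_ssl. The read_passphrase_file() reader, its ownership and mode policy, the fixture files under /tmp and the sample passphrase "hunter2" are assumptions chosen for illustration, not anything the original post specifies.

```c
/* Added example: why a passphrase-protected key cannot be unlocked
 * unattended, and a mode-checked passphrase file as an alternative to
 * getpass().  Not code from the original thread, Apache or mod_ssl. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Simulates a daemon started without a controlling terminal (as from
 * /etc/rc): fork, setsid() to detach from any tty, then attempt the
 * open of /dev/tty that getpass() depends on.  Returns 1 if the open
 * succeeded, 0 if it failed (ENXIO/ENOENT: no controlling terminal),
 * -1 on a fork/wait error. */
int tty_available_after_setsid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)      /* a fresh child is never a group leader */
            _exit(2);
        int fd = open("/dev/tty", O_RDWR);
        _exit(fd >= 0 ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

/* Reads a passphrase from PATH into BUF (first line only, newline
 * stripped).  Because the file replaces the terminal as the trust
 * boundary, it is refused unless it is a regular file owned by the
 * effective user with no group/other permission bits (assumed policy).
 * Returns the passphrase length, or -1 on any failure. */
int read_passphrase_file(const char *path, char *buf, size_t buflen)
{
    if (buflen < 2)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    size_t len = strcspn(buf, "\r\n");
    buf[len] = '\0';
    return (int)len;
}

/* Constructed fixture: writes CONTENTS to a fresh temporary file with
 * mode MODE and stores its path in PATHBUF (at least 32 bytes). */
int make_sample_passphrase_file(const char *contents, mode_t mode, char *pathbuf)
{
    strcpy(pathbuf, "/tmp/passXXXXXX");   /* assumed writable location */
    int fd = mkstemp(pathbuf);            /* created with mode 0600 */
    if (fd < 0)
        return -1;
    size_t len = strlen(contents);
    if (write(fd, contents, len) != (ssize_t)len || fchmod(fd, mode) < 0) {
        close(fd);
        unlink(pathbuf);
        return -1;
    }
    close(fd);
    return 0;
}

/* End-to-end scenario: a 0600 file holding the sample passphrase is
 * accepted; the same file loosened to 0644 is refused.  Returns 0 when
 * both hold, otherwise the number of the step that went wrong. */
int passphrase_file_demo(void)
{
    char path[32], buf[128];
    if (make_sample_passphrase_file("hunter2\n", 0600, path) < 0)
        return 1;
    int rc = read_passphrase_file(path, buf, sizeof buf);
    int step = (rc == 7 && strcmp(buf, "hunter2") == 0) ? 0 : 2;
    if (step == 0 && chmod(path, 0644) < 0)
        step = 3;
    if (step == 0 && read_passphrase_file(path, buf, sizeof buf) != -1)
        step = 4;
    unlink(path);
    return step;
}

int main(void)
{
    printf("/dev/tty open after setsid(): %d (0 = fails, as at rc startup)\n",
           tty_available_after_setsid());
    printf("passphrase file checks: %s\n",
           passphrase_file_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The first function reproduces the hang-or-error condition without touching a real server: after setsid() there is no controlling terminal, so the open that getpass() performs fails regardless of who is logged in. The second shows the trade the message describes: once the passphrase lives in a file the key is only as protected as that file, which is why the reader insists on ownership and 0600-style permissions. Servers normally expose this through their own hook rather than a hand-rolled reader; mod_ssl's SSLPassPhraseDialog exec: directive, for instance, runs a program instead of prompting, but that directive is not something the original post discusses.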